DNS: convert dns_query to sticky buffer

pull/414/merge
Victor Julien 12 years ago
parent 7292998a58
commit f353fb630c

@ -89,10 +89,8 @@ void DetectDnsQueryRegister (void) {
static int DetectDnsQuerySetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
{
return DetectEngineContentModifierBufferSetup(de_ctx, s, str,
DETECT_AL_DNS_QUERY,
DETECT_SM_LIST_DNSQUERY_MATCH,
ALPROTO_DNS, NULL);
s->list = DETECT_SM_LIST_DNSQUERY_MATCH;
return 0;
}
/**
@ -170,7 +168,7 @@ static int DetectDnsQueryTest01(void) {
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"content:\"google\"; nocase; dns_query; sid:1;)");
"dns_query; content:\"google\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
@ -288,13 +286,13 @@ static int DetectDnsQueryTest02(void) {
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"content:\"google.com\"; nocase; dns_query; sid:1;)");
"dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"content:\"google.net\"; nocase; dns_query; sid:2;)");
"dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) {
goto end;
}
@ -518,7 +516,7 @@ static int DetectDnsQueryTest04(void) {
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"content:\"google\"; nocase; dns_query; sid:1;)");
"dns_query; content:\"google\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
@ -663,13 +661,13 @@ static int DetectDnsQueryTest05(void) {
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"content:\"google.com\"; nocase; dns_query; sid:1;)");
"dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"content:\"google.net\"; nocase; dns_query; sid:2;)");
"dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) {
goto end;
}
@ -813,15 +811,15 @@ static int DetectDnsQueryTest06(void) {
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"content:\"google\"; nocase; dns_query; "
"pcre:\"/google\\.com$/iF\"; sid:1;)");
"dns_query; content:\"google\"; nocase; "
"pcre:\"/google\\.com$/i\"; sid:1;)");
if (s == NULL) {
goto end;
}
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"content:\"google\"; nocase; dns_query; "
"pcre:\"/^\\.[a-z]{2,3}$/iRF\"; sid:2;)");
"dns_query; content:\"google\"; nocase; "
"pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
if (s == NULL) {
goto end;
}
@ -945,13 +943,13 @@ static int DetectDnsQueryTest07(void) {
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"content:\"google.com\"; nocase; dns_query; sid:1;)");
"dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"content:\"google.net\"; nocase; dns_query; sid:2;)");
"dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) {
goto end;
}
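Review bot: DetectDnsQuerySetup (first hunk of this section) now only assigns `s->list = DETECT_SM_LIST_DNSQUERY_MATCH` and returns 0, but the helper it replaced was handed ALPROTO_DNS, and the new body neither binds the rule to the DNS app-layer protocol nor rejects a rule whose `s->list` already names a different sticky buffer, so the combination the removed pcre code in detect-pcre.c used to reject with SC_ERR_CONFLICTING_RULE_KEYWORDS is now accepted silently. The new isdataat test in this commit parses `alert tcp ... dns_query;` without error, which is consistent with no protocol check being performed anywhere. Consider `if (s->list != DETECT_SM_LIST_NOTSET && s->list != DETECT_SM_LIST_DNSQUERY_MATCH) { SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "dns_query used after another sticky buffer"); return -1; }` before the assignment, plus `s->alproto = ALPROTO_DNS;` if the old helper did that for this keyword — which is inferred from its arguments, not visible here. `str` is now unused; if dns_query takes no argument, rejecting a non-empty value would also catch malformed rules.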

@ -2896,7 +2896,7 @@ uint32_t DetectPatternGetId(MpmPatternIdStore *ht, void *ctx, Signature *s, uint
r = HashTableLookup(ht->hash, (void *)e, sizeof(MpmPatternIdTableElmt));
if (r == NULL) {
if (s->list != DETECT_SM_LIST_NOTSET) {
BUG_ON((sm_list != DETECT_SM_LIST_HSBDMATCH) && (sm_list != DETECT_SM_LIST_DMATCH));
BUG_ON(sm_list != DETECT_SM_LIST_HSBDMATCH && sm_list != DETECT_SM_LIST_DMATCH && sm_list != DETECT_SM_LIST_DNSQUERY_MATCH);
e->id = ht->max_id;
ht->max_id++;
id = e->id;
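Review bot: The extended BUG_ON on the new side of this hunk aborts the whole process if a signature with `s->list` set reaches DetectPatternGetId through a list the chain does not name, and that chain now has to be edited every time a sticky buffer is added, as this commit does. A comment stating that contract would make the next addition harder to miss: `/* every keyword that sets s->list as a sticky buffer must be accepted here */`. Because the condition is driven by rule content rather than an internal invariant, a diagnostic and error return would be safer than BUG_ON, but whether the uint32_t id return leaves room for an error value is not visible here. DetectPatternGetId starts and ends outside the hunk.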

@ -1054,6 +1054,56 @@ static int DetectIsdataatTestParse15(void)
return result;
}
/**
* \test dns_query with isdataat relative to it
*/
static int DetectIsdataatTestParse16(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
Signature *s = NULL;
DetectIsdataatData *data = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing dns_query and isdataat\"; "
"dns_query; isdataat:!4,relative; sid:1;)");
if (de_ctx->sig_list == NULL) {
printf("sig parse: ");
goto end;
}
s = de_ctx->sig_list;
if (s->sm_lists_tail[DETECT_SM_LIST_DNSQUERY_MATCH] == NULL) {
printf("dns_query list empty: ");
goto end;
}
if (s->sm_lists_tail[DETECT_SM_LIST_DNSQUERY_MATCH]->type != DETECT_ISDATAAT) {
printf("last dns_query body sm not isdataat: ");
goto end;
}
data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_DNSQUERY_MATCH]->ctx;
if ( !(data->flags & ISDATAAT_RELATIVE) ||
(data->flags & ISDATAAT_RAWBYTES) ||
!(data->flags & ISDATAAT_NEGATED) ) {
goto end;
}
result = 1;
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test DetectIsdataatTestPacket01 is a test to check matches of
* isdataat, and isdataat relative
@ -1177,6 +1227,7 @@ void DetectIsdataatRegisterTests(void) {
UtRegisterTest("DetectIsdataatTestParse13", DetectIsdataatTestParse13, 1);
UtRegisterTest("DetectIsdataatTestParse14", DetectIsdataatTestParse14, 1);
UtRegisterTest("DetectIsdataatTestParse15", DetectIsdataatTestParse15, 1);
UtRegisterTest("DetectIsdataatTestParse16", DetectIsdataatTestParse16, 1);
UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01, 1);
UtRegisterTest("DetectIsdataatTestPacket02", DetectIsdataatTestPacket02, 1);
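Review bot: In DetectIsdataatTestParse16 (first hunk of this section) the flag check after the `data = ...` cast jumps to `end` without printing anything, while every other failure path in the test prints a reason, so a wrong ISDATAAT_RELATIVE/RAWBYTES/NEGATED combination fails with no hint; add `printf("isdataat flags wrong: ");` before that `goto end`. The rule under test is `alert tcp ... dns_query; isdataat:!4,relative;`, a DNS sticky buffer in a tcp rule, and the test never inspects `s->alproto`, so it cannot tell whether dns_query bound the rule to DNS; a check there would document the intended contract. When DetectEngineCtxInit fails, the cleanup calls at `end` run with `de_ctx == NULL`; whether SigGroupCleanup and SigCleanSignatures tolerate that is not visible here.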

@ -471,10 +471,6 @@ DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr)
/* snort's option */
pd->flags |= DETECT_PCRE_HTTP_STAT_CODE;
break;
case 'F':
/* suricata extension (dns query name) */
pd->flags |= DETECT_PCRE_DNS_QUERY;
break;
default:
SCLogError(SC_ERR_UNKNOWN_REGEX_MOD, "unknown regex modifier '%c'", *op);
goto error;
@ -697,22 +693,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
}
}
if (pd->flags & DETECT_PCRE_DNS_QUERY) {
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DNS) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
"Conflicting alprotos detected for this rule. Dns "
"pcre modifier found along with a different protocol "
"for the rule.");
goto error;
}
if (s->list != DETECT_SM_LIST_NOTSET) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre found with dns "
"modifier set, with file_data/dce_stub_data sticky "
"option set.");
goto error;
}
}
int sm_list;
if (s->list != DETECT_SM_LIST_NOTSET) {
if (s->list == DETECT_SM_LIST_HSBDMATCH) {
@ -720,6 +700,8 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
AppLayerHtpEnableResponseBodyCallback();
} else if (s->list == DETECT_SM_LIST_DMATCH) {
SCLogDebug("adding to dmatch list because of dce_stub_data");
} else if (s->list == DETECT_SM_LIST_DNSQUERY_MATCH) {
SCLogDebug("adding to DETECT_SM_LIST_DNSQUERY_MATCH list because of dns_query");
}
s->flags |= SIG_FLAG_APPLAYER;
sm_list = s->list;
@ -786,11 +768,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
sm_list = DETECT_SM_LIST_HUADMATCH;
} else if (pd->flags & DETECT_PCRE_DNS_QUERY) {
SCLogDebug("DNS query inspection modifier set on pcre");
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_DNS;
sm_list = DETECT_SM_LIST_DNSQUERY_MATCH;
} else {
sm_list = DETECT_SM_LIST_PMATCH;
}
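Review bot: Dropping `case 'F':` from DetectPcreParse (first hunk of this section) means a deployed rule that still uses the `F` pcre modifier now falls into `default:` and fails to load with the generic "unknown regex modifier" message, with nothing pointing the author at the dns_query sticky buffer that replaces it. Keeping the case as a rejection with a targeted message eases migration: `case 'F': SCLogError(SC_ERR_UNKNOWN_REGEX_MOD, "pcre modifier 'F' was removed, use the dns_query sticky buffer"); goto error;`. The block removed from DetectPcreSetup also carried the DNS alproto-conflict check, and nothing in this commit reintroduces an equivalent one for dns_query. DetectPcreParse and DetectPcreSetup both begin and end outside these hunks.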

@ -52,8 +52,6 @@
#define DETECT_PCRE_NEGATE 0x80000
#define DETECT_PCRE_CASELESS 0x100000
#define DETECT_PCRE_DNS_QUERY 0x200000
typedef struct DetectPcreData_ {
/* pcre options */
pcre *re;
